Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0
Hello,

Thanks a lot. One more question if possible. Is there any way to express a single element of the ASN.1 sequence which can be any of ASN1_OCTET_STRING or ASN1_UTF8STRING and potentially other types? Or maybe there is some tutorial for the new interface similar to http://www.umich.edu/~x509/ssleay/asn1-macros.html for the old one?

Best regards,
A.K.

On Mon, Sep 19, 2016 at 3:05 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Mon, Sep 19, 2016, Aleksandr Konstantinov wrote:
>
> > Thanks. Your answer helped a lot and I'm progressing now. Could you
> > please also give me a hint what M_ASN1_BIT_STRING_dup/ASN1_BIT_STRING_dup
> > could be replaced with?
>
> ASN1_STRING_dup should work fine: ASN1_BIT_STRING is actually typedefed to
> ASN1_STRING.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0
Hello,

Thanks. Your answer helped a lot and I'm progressing now. Could you please also give me a hint what M_ASN1_BIT_STRING_dup/ASN1_BIT_STRING_dup could be replaced with?

Best regards,
A.K.

On Fri, Sep 9, 2016 at 2:44 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Fri, Sep 09, 2016, Aleksandr Konstantinov wrote:
>
> > Hello,
> >
> > Thanks for your answer. Here is one of the d2i functions simplified:
> >
> > MYEXT * d2i_MYEXT(MYEXT ** myext, unsigned char ** pp, long length) {
> >     M_ASN1_D2I_vars(myext, MYEXT *, MYEXT_new);
> >     M_ASN1_D2I_Init();
> >     M_ASN1_D2I_start_sequence();
> >     M_ASN1_D2I_get_EXP_opt(ret->intmember, d2i_ASN1_INTEGER, 1);
> >     M_ASN1_D2I_get_opt(ret->intmember, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
> >     M_ASN1_D2I_Finish(myext, MYEXT_free, ASN1_F_D2I_MYEXT);
> > }
> >
>
> Presumably the two fields aren't the same? I'll call one intmember2 for
> this example.
>
> The above would translate to something like:
>
> ASN1_SEQUENCE(MYEXT) = {
>         ASN1_EXP_OPT(MYEXT, intmember, ASN1_INTEGER, 1),
>         ASN1_OPT(MYEXT, intmember2, ASN1_INTEGER)
> } ASN1_SEQUENCE_END(MYEXT)
>
> IMPLEMENT_ASN1_FUNCTIONS(MYEXT)
>
> Then you include:
>
> DECLARE_ASN1_FUNCTIONS(MYEXT)
>
> in a header file.
>
> That generates four functions MYEXT_new(), MYEXT_free(), d2i_MYEXT() and
> i2d_MYEXT().
>
> Steve.
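Added example, not code from the thread or from OpenSSL: a hand-written decoder for the structure Steve's template describes, SEQUENCE { [1] EXPLICIT INTEGER OPTIONAL, INTEGER OPTIONAL }, extended with an assumed third member that may be either an OCTET STRING or a UTF8String (the "any of" case asked about in the follow-up above). It shows what the generated d2i_MYEXT() does under the hood: the explicit [1] tag is what lets a decoder tell the first OPTIONAL INTEGER from the second, an OPTIONAL member is recognised by peeking at the next tag, and an any-of member is selected by its tag alone, which is also how OpenSSL's ASN1_ANY (decoded into an ASN1_TYPE) and ASN1_CHOICE templates resolve it. Every length is checked against the bytes actually remaining before it is used, and trailing, unknown or non-minimally encoded content is rejected; those are the checks the template-generated decoder performs for you and the reason to prefer it over raw byte banging. The names MYEXT, d2i_MYEXT_manual and samples_ok and the sample byte strings are constructed for this example; the header parser handles one-byte tags and short-form lengths only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decoded MYEXT. The has_* flags stand in for OpenSSL's NULL-pointer convention for
 * OPTIONAL members. Field names follow the thread; payload is the assumed any-of member. */
typedef struct {
    int has_intmember;  long intmember;    /* [1] EXPLICIT INTEGER OPTIONAL */
    int has_intmember2; long intmember2;   /* INTEGER OPTIONAL */
    uint8_t payload_tag;                   /* 0x04 OCTET STRING, 0x0C UTF8String, 0 if absent */
    const uint8_t *payload; size_t payload_len;
} MYEXT;

/* Read the tag/length header at p (one-byte tag, short-form length). "No bytes left" is a
 * valid end of sequence reported as tag 0; a length running past end is a malformation. */
static int header(const uint8_t *p, const uint8_t *end, uint8_t *tag, size_t *len, size_t *hdr)
{
    if (p == end) { *tag = 0; *len = *hdr = 0; return 1; }
    if (end - p < 2 || (p[1] & 0x80)) return 0;   /* truncated, or long-form length (unused here) */
    *tag = p[0]; *len = p[1]; *hdr = 2;
    return *len <= (size_t)(end - p) - 2;
}

/* Decode INTEGER content octets into a long; non-minimal (non-DER) encodings are rejected. */
static int der_integer(const uint8_t *p, size_t len, long *out)
{
    if (len == 0 || len > sizeof(long)) return 0;
    if (len > 1 && ((p[0] == 0x00 && !(p[1] & 0x80)) || (p[0] == 0xFF && (p[1] & 0x80))))
        return 0;
    unsigned long v = (p[0] & 0x80) ? ~0UL : 0UL;   /* sign-extend into the high bytes */
    for (size_t i = 0; i < len; i++) v = (v << 8) | p[i];
    *out = (long)v;
    return 1;
}

/* Hand-written equivalent of the d2i_MYEXT() an ASN1_SEQUENCE template generates.
 * Returns 1 on success, 0 on malformed or unexpected input. */
int d2i_MYEXT_manual(MYEXT *out, const uint8_t *der, size_t der_len)
{
    uint8_t tag; size_t len, hdr;
    memset(out, 0, sizeof *out);
    if (!header(der, der + der_len, &tag, &len, &hdr) || tag != 0x30) return 0;
    if (hdr + len != der_len) return 0;      /* trailing bytes after the SEQUENCE */
    const uint8_t *p = der + hdr, *end = p + len;
    if (!header(p, end, &tag, &len, &hdr)) return 0;
    if (tag == 0xA1) {                       /* ASN1_EXP_OPT(..., 1): [1] EXPLICIT, constructed */
        uint8_t itag; size_t ilen, ihdr;
        if (!header(p + hdr, p + hdr + len, &itag, &ilen, &ihdr) || itag != 0x02
            || ihdr + ilen != len) return 0; /* the wrapper must hold exactly one INTEGER */
        if (!der_integer(p + hdr + ihdr, ilen, &out->intmember)) return 0;
        out->has_intmember = 1;
        p += hdr + len;
        if (!header(p, end, &tag, &len, &hdr)) return 0;
    }
    if (tag == 0x02) {                       /* ASN1_OPT(..., ASN1_INTEGER): universal INTEGER */
        if (!der_integer(p + hdr, len, &out->intmember2)) return 0;
        out->has_intmember2 = 1;
        p += hdr + len;
        if (!header(p, end, &tag, &len, &hdr)) return 0;
    }
    if (tag == 0x04 || tag == 0x0C) {        /* any-of member: the tag alone selects the type */
        out->payload_tag = tag; out->payload = p + hdr; out->payload_len = len;
        p += hdr + len;
        if (!header(p, end, &tag, &len, &hdr)) return 0;
    }
    return p == end;                         /* anything left over is an unknown element */
}

/* Constructed sample encodings (not taken from the thread). */
static const uint8_t SAMPLE_FULL[] = {
    0x30, 0x0C,
    0xA1, 0x03, 0x02, 0x01, 0x05,            /* intmember  = [1] EXPLICIT INTEGER 5 */
    0x02, 0x01, 0x07,                        /* intmember2 = INTEGER 7 */
    0x0C, 0x02, 'h', 'i'                     /* payload    = UTF8String "hi" */
};
static const uint8_t SAMPLE_PARTIAL[] = {
    0x30, 0x07,
    0x02, 0x01, 0x2A,                        /* intmember absent; intmember2 = INTEGER 42 */
    0x04, 0x02, 0xAB, 0xCD                   /* payload    = OCTET STRING */
};
/* Outer length claims 16 bytes but only 3 follow: must be rejected, never read past the end. */
static const uint8_t SAMPLE_OVERLONG[] = { 0x30, 0x10, 0x02, 0x01, 0x01 };

/* Bitmask: 1 = full sample decoded as expected, 2 = partial sample, 4 = overlong rejected. */
int samples_ok(void)
{
    MYEXT m; int ok = 0;
    if (d2i_MYEXT_manual(&m, SAMPLE_FULL, sizeof SAMPLE_FULL) && m.has_intmember && m.intmember == 5
        && m.has_intmember2 && m.intmember2 == 7 && m.payload_tag == 0x0C && m.payload_len == 2
        && m.payload[0] == 'h') ok |= 1;
    if (d2i_MYEXT_manual(&m, SAMPLE_PARTIAL, sizeof SAMPLE_PARTIAL) && !m.has_intmember
        && m.intmember2 == 42 && m.payload_tag == 0x04 && m.payload_len == 2) ok |= 2;
    if (!d2i_MYEXT_manual(&m, SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG)) ok |= 4;
    return ok;
}
```

samples_ok() returns 7 when all three constructed inputs behave as the comments state. The two INTEGER members are only distinguishable because the first carries the context tag [1]; with both fields untagged, as in the original M_ASN1_D2I_get_opt code, a lone INTEGER could belong to either, which is why Steve asks whether the two fields are really the same.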
Re: [openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0
Hello,

Thanks for your answer. Here is one of the d2i functions simplified:

MYEXT * d2i_MYEXT(MYEXT ** myext, unsigned char ** pp, long length) {
    M_ASN1_D2I_vars(myext, MYEXT *, MYEXT_new);
    M_ASN1_D2I_Init();
    M_ASN1_D2I_start_sequence();
    M_ASN1_D2I_get_EXP_opt(ret->intmember, d2i_ASN1_INTEGER, 1);
    M_ASN1_D2I_get_opt(ret->intmember, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
    M_ASN1_D2I_Finish(myext, MYEXT_free, ASN1_F_D2I_MYEXT);
}

Regards,
A.K.

On Thu, Sep 8, 2016 at 10:23 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Thu, Sep 08, 2016, Aleksandr Konstantinov wrote:
>
> > Hello all,
> >
> > I'm in the process of porting our project to OpenSSL 1.1.0. We have a part of
> > the code which heavily uses M_ASN1_D2I_* and M_ASN1_I2D_* for defining d2i_*
> > and i2d_* methods for a new extension. For example, the code uses M_ASN1_D2I_vars,
> > M_ASN1_D2I_Init and M_ASN1_D2I_start_sequence to start reading a sequence of
> > items and then proceeds with M_ASN1_D2I_get_* for the content of the
> > sequence. Could anybody please advise what would be the proper replacement for
> > those macros in OpenSSL 1.1.0? Is there any new API for such things? Or
> > shall one do raw byte banging?
> >
>
> Those old macros were updated way back in OpenSSL 0.9.7 and finally retired in
> OpenSSL 1.1.0.
>
> You need to write an appropriate ASN.1 module to encode and decode your
> structure. There are many examples of this such as in crypto/cms/cms_asn1.c
> and some much simpler ones in crypto/x509v3 which are perhaps better suited to
> your needs.
>
> They use macros which start with ASN1_SEQUENCE*
>
> Is it possible to look at your old code? Then I could give some more specific
> pointers.
>
> Steve.
[openssl-users] M_ASN1_D2I_* replacement in OpenSSL 1.1.0
Hello all,

I'm in the process of porting our project to OpenSSL 1.1.0. We have a part of the code which heavily uses M_ASN1_D2I_* and M_ASN1_I2D_* for defining d2i_* and i2d_* methods for a new extension. For example, the code uses M_ASN1_D2I_vars, M_ASN1_D2I_Init and M_ASN1_D2I_start_sequence to start reading a sequence of items and then proceeds with M_ASN1_D2I_get_* for the content of the sequence. Could anybody please advise what would be the proper replacement for those macros in OpenSSL 1.1.0? Is there any new API for such things? Or shall one do raw byte banging?

Best regards,
A.K.
Re: HTTPS connection hangs during SSL handshake
On Tuesday 11 September 2012, Supratik Goswami wrote:
> Is there no one in the community who can help me to find the cause of the problem?

Maybe you have firewall issues on the office IP machine. Have you tried tcpdump or a similar utility to check if there is something being sent/received?

Regards,
A.K.

On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami <supratiksek...@gmail.com> wrote:
> I am using OpenSSL version: openssl-1.0.0j in our production.
>
> I am facing a strange problem where the SSL connection simply hangs during
> the initial handshake when requested from our office IP address. When I run
> the same command from another IP address it works fine.
>
> From office IP (Unsuccessful connection):
>
> [root@gateway ]# openssl s_client -connect test.mydomain.com:443
> CONNECTED(0003)
>
> From a different IP (Successful connection):
>
> ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect test.mydomain.com:443
> CONNECTED(0003)
> depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
>    i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
>  1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
>    i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
>  2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
>    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>  3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>    i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> REMOVED FOR SECURITY REASON
> -----END CERTIFICATE-----
> subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
> issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4827 bytes and written 435 bytes
> ---
> New, TLSv1/SSLv3, Cipher is RC4-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-SHA
>     Session-ID: 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533
>     Session-ID-ctx:
>     Master-Key: 22B470A67XXXB50ED6237BE9
>     Key-Arg   : None
>     Start Time: 1346765613
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
>
> Any ideas?
>
> --
> Warm Regards
> Supratik

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Documentation
Hello.

I'm trying to understand the OpenSSL API. But the documentation on the web seems to be very incomplete. Could anybody please suggest where to look for better documentation or easy to understand examples?

Thanks in advance,
A.K.
How private key is used ?
Hello.

I'm considering using OpenSSL in my application. So I have read The SSL Protocol Version 3.0 at http://wp.netscape.com/eng/ssl3/draft302.txt. But I still can't understand how, during the authentication phase, the parties are actually authenticated. I could only find an exchange of certificates (public keys). But they are already public. I know private keys should somehow be involved in authentication. I'm sure I just missed something. Could anybody help me, please?

Regards,
A.K.